Insights

Perspectives on risk in the modern enterprise.

Published thinking from the TRION practice. We write infrequently and at length, on the questions our clients are presently asking and on the questions they will soon be asked by their regulators, boards, and auditors.


Point of View · Information Risk · 2026

The CMDB problem in financial services, and why static registries no longer suffice.

Configuration management databases were designed for a world in which the asset estate moved quarterly. Modern enterprises change daily. Applications spin up, vendors are replaced, models are retrained, sub-processors are re-tiered. We examine what a "living" CMDB requires, why most TPRM programs are quietly failing on what the CMDB does not know, and what financial institutions can do in the next six months without replacing their platform of record.

Point of View · AI Governance · 2026

What the EU AI Act actually demands of Chief Risk Officers.

Beyond compliance theatre: a practical reading of Articles 9, 15, and 17 through the operating lens of a risk function. What evidence must your AI governance committee be able to produce on demand, which existing risk artifacts already cover ninety percent of it, and where the genuine gaps sit: in model documentation, in human-oversight procedures, and in post-market monitoring.

Point of View · Third-Party Risk · 2026

Beyond the SIG: why evidence-driven vendor assessment outperforms questionnaires.

The standard 300-item vendor questionnaire was designed to be defensible, not informative. We outline a methodology that begins with the artifacts vendors already produce (SOC 2 reports, penetration tests, ISO certificates, AI BOMs) and routes the assessment around them. The result is faster cycle time, higher signal, and a residual-risk position that survives an internal audit.

Point of View · GRC Transformation · 2026

When ServiceNow GRC is the wrong answer to the right question.

A platform of record solves a problem of system fragmentation, not a problem of methodology. We examine three common scenarios in which institutions purchase or expand ServiceNow GRC for the wrong underlying reason, and what should have been addressed first. A note for risk leaders preparing to recommend a platform decision to the board.

Point of View · Risk Architecture · 2026

Designing the artifact: a discipline that risk advisory has neglected.

The artifact a risk function operates (the register, the workflow, the assessment template, the executive dashboard) is the most consequential design problem in the function and the most under-addressed by advisory firms. We propose a discipline of risk architecture: the deliberate, operator-centred design of the artifacts risk programs depend on.

Point of View · Operational Resilience · 2026

DORA, OCC Heightened Standards, and the unification of operational-risk regimes.

Three regulatory regimes (DORA in Europe, OCC Heightened Standards in the United States, and the Bank of England SS2/21) are converging on a shared operating definition of resilience. We map the overlap, identify the genuine differences, and propose a single resilience-evidence model that satisfies all three.


Subscribe

Receive new perspectives, infrequently.

TRION publishes perspectives on a quarterly cadence. To receive new pieces when they are published, write to us. We add subscribers manually, and the list is not commercial.
